From aa735b02196cf6f947fd1e4b2ec46b544ec7c3e1 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Thu, 28 Dec 2023 17:32:06 +0100
Subject: [PATCH] units: add ConditionSecurity=tpm2 to systemd-tpm2-setup units

ConditionSecurity=measured-uki can be true even with TPM 1.2 which we don't support, so add an explicit check for TPM 2.0.

Fixes https://github.com/systemd/systemd/issues/30650
Follow-up for 2e64cb71b9c0160c3
---
 units/systemd-tpm2-setup-early.service.in | 1 +
 units/systemd-tpm2-setup.service.in | 1 +
 2 files changed, 2 insertions(+)

diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index c1597ea3f9..57fe5e2537 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -14,6 +14,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 Before=sysinit.target shutdown.target
 ConditionSecurity=measured-uki
+ConditionSecurity=tpm2
 ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
 
 [Service]
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 6c99f3af0a..9d882d690f 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -16,6 +16,7 @@ After=systemd-tpm2-setup-early.service systemd-remount-fs.service
 Before=sysinit.target shutdown.target
 RequiresMountsFor=/var/lib/systemd/tpm2-srk-public-key.pem
 ConditionSecurity=measured-uki
+ConditionSecurity=tpm2
 ConditionPathExists=!/etc/initrd-release
 
 [Service]
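Review bot: The added `ConditionSecurity=tpm2` line sits directly under `ConditionSecurity=measured-uki` with nothing in the unit explaining why both are required, so it reads as redundant and could be dropped in a later cleanup; the rationale exists only in the commit message. I would put a comment above it in both systemd-tpm2-setup-early.service.in and systemd-tpm2-setup.service.in, for example `# measured-uki can also be true with TPM 1.2, which is not supported; require TPM 2.0 explicitly`. Because a failed condition skips the unit instead of failing it, the tpm2-srk-public-key.pem files referenced in these units will presumably never be written on such machines, so it is worth confirming that whatever reads them treats a missing file as "no usable TPM2" rather than as an error. Both [Unit] sections start above the hunks, so any existing comments there are not visible from here.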